Researchers have detailed new malware families used in previously disclosed attacks exploiting a vulnerability in Barracuda Email Security Gateway (ESG) appliances, and said that a “limited number” of victims remain at risk.
Barracuda in June urged some customers to replace their ESG appliances after initially deploying a series of patches for the remote code execution bug (CVE-2023-2868) in May. Also in June, Mandiant researchers, who partnered with Barracuda for incident response, said that the vulnerability had been exploited in the wild for eight months by a new “aggressive” threat actor, UNC4841, which researchers assessed is an espionage actor in support of the People’s Republic of China.
UNC4841 is highly persistent and retooled its malware and tactics shortly after Barracuda’s initial remediation efforts and public disclosure in May. However, in a new analysis on Tuesday, Mandiant researchers said that they had also observed a previously undisclosed wave of attacks that began in early June and leveraged several new malware families.
“This second surge represented the highest intensity of UNC4841 activity identified by Mandiant across the entire campaign, demonstrating UNC4841’s determination in preserving access to specific victim environments,” said researchers with Mandiant in a Tuesday analysis.
In this newly disclosed wave of activity, the threat actor was trying to maintain access to compromised environments by deploying three new malware families. These include SKIPJACK, a backdoor that attackers used to target primarily government and technology organizations. The malware is deployed by trojanizing legitimate Barracuda ESG modules with malicious Lua code. Researchers found a code snippet that registered a listener for specific incoming email headers (either Content-OD or X-Barracuda-Spam-Info) before decoding and executing their content.
“Around the time of Barracuda’s initial notification regarding CVE-2023-2868, Mandiant observed UNC4841 creating bash scripts on previously compromised appliances with the filename of ‘mknod’ in the path ‘/boot/os_tools/’,” said researchers. “The ‘mknod’ bash script checks whether the ‘mod_content.lua’ script on the compromised appliance contains the string ‘OpenSSL’, and if not found, injects the code snippet… into the mod_content.lua script, effectively backdooring the legitimate Barracuda ESG module.”
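The description above gives defenders three concrete things to look for: a bash script dropped as /boot/os_tools/mknod (a name that normally belongs to a compiled binary), the string ‘OpenSSL’ that the script uses as its “already injected” marker inside mod_content.lua, and inbound mail carrying a Content-OD or X-Barracuda-Spam-Info header whose value the backdoored module decodes and runs. The following triage script is an added example written for this article, not code from Mandiant or Barracuda. The mail samples are constructed, the base64-plus-shell-token heuristic for header values is an assumption rather than a documented detection, and the location of mod_content.lua on an appliance is left to the operator because the article does not state it.

```python
"""Triage helpers for the SKIPJACK tradecraft described in the article.

Added example, not Mandiant's or Barracuda's code. Three checks:
  1. module_indicators(): does a mod_content.lua source carry the actor's
     'OpenSSL' marker or reference the trigger headers?
  2. mknod_is_script(): is /boot/os_tools/mknod a text script (shebang)
     rather than a compiled binary?
  3. suspicious_headers(): does a message carry a Content-OD header, or an
     X-Barracuda-Spam-Info header whose value is base64 that decodes to
     shell-like text?  (heuristic, assumed for this example)
All sample data below is constructed.
"""
import base64
import re
from email import message_from_string

# Header names the article says the injected Lua listener keys on.
TRIGGER_HEADERS = ("Content-OD", "X-Barracuda-Spam-Info")
# Crude tokens that make a decoded header value look like a command line.
SHELL_TOKENS = ("/bin/", "sh ", "$(", "|", ";", "curl ", "wget ")


def decoded_payload(value):
    """Return decoded text if `value` is strict base64 of printable ASCII, else None."""
    compact = re.sub(r"\s+", "", value)
    if not compact or len(compact) % 4:
        return None
    try:
        text = base64.b64decode(compact, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def suspicious_headers(raw_message):
    """List (header, reason) pairs for trigger headers in one RFC 5322 message."""
    findings = []
    for name, value in message_from_string(raw_message).items():
        if name.lower() == "content-od":
            # Not a standard header; its presence alone is worth a look.
            findings.append((name, "non-standard header used as SKIPJACK trigger"))
        elif name.lower() == "x-barracuda-spam-info":
            # Legitimate values are score/test summaries, not base64 blobs.
            text = decoded_payload(value)
            if text is not None and any(tok in text for tok in SHELL_TOKENS):
                findings.append((name, "base64 value decodes to shell-like text"))
    return findings


def module_indicators(lua_source):
    """Reasons a mod_content.lua source looks backdoored, per the article's description."""
    hits = []
    if "OpenSSL" in lua_source:
        hits.append("marker string 'OpenSSL' present (the mknod script's injection check)")
    for header in TRIGGER_HEADERS:
        if header in lua_source:
            hits.append(f"module references trigger header {header}")
    return hits


def mknod_is_script(first_bytes):
    """True if a file at /boot/os_tools/mknod starts with a shebang, i.e. is a script."""
    return first_bytes.startswith(b"#!")


# Constructed samples: one ordinary message, one carrying both trigger headers.
SAMPLE_PAYLOAD = base64.b64encode(b"/bin/echo triage-sample").decode()
CLEAN_MESSAGE = (
    "From: sender@example.test\r\nTo: user@example.test\r\n"
    "X-Barracuda-Spam-Info: Score=0.5, Tests=HTML_MESSAGE\r\n"
    "Subject: quarterly report\r\n\r\nbody\r\n"
)
TRIGGER_MESSAGE = (
    "From: sender@example.test\r\nTo: user@example.test\r\n"
    f"Content-OD: {SAMPLE_PAYLOAD}\r\nX-Barracuda-Spam-Info: {SAMPLE_PAYLOAD}\r\n"
    "Subject: hello\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    # Point these at real appliance files during an investigation (paths assumed).
    print("clean message:", suspicious_headers(CLEAN_MESSAGE))
    print("trigger message:", suspicious_headers(TRIGGER_MESSAGE))
    print("module:", module_indicators('local hook = "Content-OD" -- OpenSSL'))
    print("mknod is script:", mknod_is_script(b"#!/bin/bash\n"))
```

Run the header check over a mail log export or a sample of quarantined messages, and the module and mknod checks against files pulled from a suspect appliance; a hit on any of the three is a reason to treat the device as compromised and follow Barracuda's replacement guidance rather than attempt cleanup in place.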
Researchers said that SKIPJACK was the most widely deployed malware they discovered in this specific wave of attacks. Another malware family, DEPTHCHARGE (also tracked by CISA as SUBMARINE), was deployed by the attackers as a way to listen passively for commands, which it would then execute before sending the results (under the guise of SMTP commands) back to the C2. Finally, attackers deployed FOXGLOVE, a launcher that executes the hardcoded path for a payload called FOXTROT, a backdoor with capabilities like keystroke capture, shell command execution, file transfer and reverse shell creation. Based on these capabilities, researchers believe that attackers intended to deploy FOXTROT to other Linux-based devices within a network in order to enable lateral movement and credential theft.
“FOXTROT and FOXGLOVE are also notable in that they are the only malware families observed being used by UNC4841 that were not specifically designed for Barracuda ESGs,” said researchers. “Additionally, FOXGLOVE and FOXTROT were the most selectively deployed of all the malware families used by UNC4841. At this time, Mandiant has only observed UNC4841 deploy FOXTROT and FOXGLOVE at government or government related organizations that were high priority targets for the PRC.”
Researchers also provided further details about the campaign’s targeting, saying that almost a third of the impacted organizations were government agencies. Attackers targeted a number of local government organizations in addition to federal agencies, including municipal offices, social service offices and law enforcement entities. Of note, Mandiant said that 5 percent of active ESG appliances globally showed evidence of known indicators of compromise, and that since the patches were released in May researchers have not observed any newly compromised ESG appliances; in other words, all observed malicious activity has continued on devices that were already compromised.
Researchers and government agencies have both continued to urge impacted companies to replace their devices, with the FBI in a Flash Alert last week warning that even previously exploited appliances that have received Barracuda’s patches remain at risk. Mandiant stressed that UNC4841 is highly responsive to any defensive efforts and has actively changed its TTPs in an attempt to maintain access to victim environments.
“Due to their demonstrated sophistication and proven desire to maintain access, Mandiant expects UNC4841 to continue to alter their TTPs and modify their toolkit as network defenders continue to take action against this adversary, and their activity is further exposed by the security community,” said researchers with Mandiant.